friday evening linkdump of sorts

So, I don’t make you all sit through my del.icio.us links auto-posting, but sometimes I have a few unrelated things to share that don’t really have their own full posts to go along with them. So here are a few things that are only sort of library related that I think you might be interested in.

“E-problem” puts 15,000 library patrons’ info on Internet

Please read this newspaper’s account of how 15,000 library patrons’ personal information — names, phone numbers, e-mail addresses, street addresses, children’s names and library card numbers — wound up accessible to the public as a result of… something happening to the systems at the Lakeland Library Cooperative in Michigan. That’s the rub, they’re not even sure. The interim director (what a lousy time to be an interim director) said that they “think there was a software malfunction” and then later in the article is paraphrased as saying “the library last month underwent a software upgrade on their system, but was not able to determine if that was the source of the problem.” Does this inspire confidence? No, it does not. E-problems?

Mistakes happen, we all know that, but this story tells me that either the reporter doesn’t understand computers enough to write about this incident, or that the person who runs the Library Cooperative does not understand what happened, or possibly both. I’m aware that there is always a third option, that they are trying to be deliberately obscure to keep people from hacking into their system, but if I were a patron of one of the affected libraries, I’d like more information, a lot more. This is a file that is on the web, right? There should be log files that show how many times that page was accessed. Wouldn’t it be reassuring if that number was, say, three instead of perhaps a hundred? There is nothing on any of the Coop’s web sites about this incident even though the news story has been online all day (I found it through LISNews).

Oddly it looks like the previous director left the job somewhat mysteriously a few weeks ago. According to this short story, all the member libraries will be notified and 15000 new bar codes will be issued.

rfid library tags unlocked, vulnerable

RFID hacking in, among other places, libraries. More on RFID.

As he waves the reader over a book’s spine, ID numbers pop up on his monitor. “I can definitely overwrite these tags,” Molnar says. He finds an empty page in the RFID’s memory and types “AB.” When he scans the book again, we see the barcode with the letters “AB” next to it. (Molnar hastily erases the “AB,” saying that he despises library vandalism.) He fumes at the Oakland library’s failure to lock the writable area. “I could erase the barcodes and then lock the tags. The library would have to replace them all.”

RFID best practices

The American Library Association was one of many companies and public interest groups that helped create a set of best practices for RFID. They include these three general principles about RFID, as it relates to privacy:

Technology Neutrality: RFID technology in and of itself does not impose threats to privacy. Rather privacy breaches occur when RFID, like any technology, is deployed in a way that is not consistent with responsible information management practices that foster sound privacy protection.

Privacy and Security as Primary Design Requirements: Users of RFID technology should address the privacy and security issues as part of its initial design. Rather than retrofitting RFID systems to respond to privacy and security issues, it is much preferable that privacy and security should be designed in from the beginning.

Consumer Transparency: There should be no secret RFID tags or readers. Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology (including tags, readers and storage of PII) as they engage in any transaction that utilizes an RFID system. At the same time, it is important to recognize that notice alone does not mitigate all concerns about privacy. Notice alone does not, for example, justify any inappropriate data collection or sharing, and/or the failure to deploy appropriate security measures. Notice must be supplemented by thoughtful, robust implementation of responsible information practices.

while you were midwintering….

Hi. I’m back and very tired. Midwinter went fairly well from my perspective. Council meetings seemed effective. I got to see most of the people I tried to see and had some nice serendipitous meetings with others. My company was part usual suspects and part people I’d never met before including a healthy dose of library students. I learned things. I took a lot of public transportation in an unfamiliar city. I stayed within my budget and I got home feeling smarter than when I left. I have a stack of paperwork that I’d like to share parts of with you but it will need to wait until the weekend.

In the meantime, while we were all at the meeting, this happened “City stalls FBI access in library” referring to the librarian at the Newton Free Library in Massachusetts who wouldn’t let FBI agents in to search library computers without a warrant after there had been emailed threats directed towards Brandeis University sent from one of the library computers. According to an article in the Boston Herald, this was done with the mayor’s knowledge and backing but everyone seems set to blame the librarian anyhow. This was a big enough news item to be the butt of a lot of jokes on talk radio by the time I was driving home from the airport. I’m just starting to read about this story, but correct me if I’m wrong, couldn’t the agents have just asked for the data on the computers, using the USA PATRIOT Act as their legal justification? This seems like a case where they were reluctant to for some reason. The Boston Globe article on the subject says this

[B]y the time a warrant became an issue, law enforcement officials had determined there was no imminent danger and decided to cooperate with Newton officials, Marcinkiewicz said. She said no arrests had been made as of yesterday afternoon. [emphasis mine]

above the fold retraction: there was no Little Red Book ILL

From the Daily Kos, my comments, and I’m sure many other places. Federal agents’ visit was a hoax: Student admits he lied about Mao book

update re: ILL/Mao/DHS

Two stories in Southcoast Today [also in print in the Standard Times] following up on the Homeland Security/ILL report from yesterday. ‘Little Red Book’ story gets wide publicity, an article reporting on the publicity and with several statements from additional folks involved, most notably Homeland Security officials calling the scenario described “unlikely”. Also UMass Dartmouth statement on “Little Red Book” denying that they passed on any confidential information to agents or anyone else. [thanks aaron]

Little Red Book ILL gets patron a visit from Homeland Security

A student did an ILL for a specific version of Mao’s Little Red Book and wound up getting a visit from Homeland Security. Obviously, there is more to this story than the short news article, but the article alleges that the Department of Homeland Security monitors Interlibrary Loan requests.

update from the bs detector alert: An ALA Councilor notes that there are two versions of this story circulating with different names attached which definitely sounds fishy and makes it worth further investigation into what exactly is going on. Other councilors have emailed the prof from UCSC mentioned in the second article and he said it was the first he’d heard of it. I’ve emailed the reporter and one of the professors cited in the recent article and I’ll let you know what I find out, if anything. Fellow Councilor Rory Litwin has posted this follow-up to the Council list with more first hand information from one of the professors involved. I posted a follow-up including some feedback I’d gotten from the reporter of the most recent article. BoingBoing is faster with the summary action than I am.

This is all coming on the heels of some unpleasant revelations about the current administration’s use of the National Security Agency to surveil domestic targets without getting FISA court approval. Who would have thought that this decade would be the one where all librarians learned what FISA stood for? How many of you watched CSPAN a little more carefully than usual this weekend [or is my house the only house that does this] to see what happened with the USA PATRIOT Act?

one more privacy concern: printers?

EFF’s blog has a post about a new way libraries could accidentally infringe on patron privacy. Some common color laser printers have the ability to encode uniquely identifying and traceable information into pages they print. If you care enough about patron privacy to not reveal if a patron has a library card, would you care enough to not reveal that they have used your computers/printers?

According to experts, several printer companies quietly encode the serial number and the manufacturing code of their color laser printers and color copiers on every document those machines produce. Governments, including the United States, already use the hidden markings to track counterfeiters.

Peter Crean, a senior research fellow at Xerox, says his company’s laser printers, copiers and multifunction workstations, such as its WorkCentre Pro series, put the “serial number of each machine coded in little yellow dots” in every printout. The millimeter-sized dots appear about every inch on a page, nestled within the printed words and margins.

color me unsurprised, law enforcement do ask about patron reading habits

Libraries Say Yes, Officials Do Quiz Them About Users, in the NY Times today, according to the results of a recent ALA survey. While this is not evidence of USA PATRIOT Act abuses per se, it points to increasing concern on the part of law enforcement of what people are reading [the article points to cases of libraries being asked for a list of patrons who had checked out a book about Osama bin Laden] in ways that compromise state library privacy laws. As of this morning, ALA has missed a chance to capitalize on this good press by having anything at all mentioning this study on the front page of their web site, pity.

Ms. Sheketoff at the [American] library association acknowledged that critics of the study may accuse the group of having a stake in the outcome of the Patriot Act debate. “Sure, we have a dog in this fight, but the other side has been mocking us for four years over our ‘baseless hysteria,’ and saying we have no reason to be concerned,” she said. “Well, these findings say that we do have reason to be concerned.”